Hacker Attempts to Sell 23andMe’s Stolen Data on Ashkenazi Jews

It is now being reported that a hacker is listing millions of pieces of stolen data from the family genetics site 23andMe for sale online.

The genetic testing company 23andMe confirmed on Friday that data from a subset of its users has been compromised. The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives. Users opt into sharing their information through DNA Relatives for others to see.

Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained 1 million data points exclusively about Ashkenazi Jews. There also seem to be hundreds of thousands of users of Chinese descent impacted by the leak. On Wednesday, the actor began selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase.

The data includes things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of “broadly European” or “broadly Arabian” descent. It may also include some more specific geographic ancestry information. The information does not appear to include actual, raw genetic data.

23andMe is a company that specializes in DNA testing that helps users learn more about their ancestry, as well as potential health conditions and traits that may be inherited.

Since news of the hack, many customers have expressed worries their ethnicity and other sensitive information could be used against them if leaked. A U.S. lawmaker last week sought more detail on the leaks.

Several users on social media on Tuesday said they got the email, but it was unclear how many customers had been informed. 23andMe spokeswoman Katie Watson declined to comment, citing its ongoing probe, and referred to the blog where the company said on Oct. 20 that it was temporarily disabling features in the “DNA Relatives” to protect user privacy.

Earlier, the company had said hackers may have used credentials leaked from other websites to breach 23andMe accounts – a technique known as ‘credential stuffing’. It advised users change their login information and enable two-factor authentication to prevent compromise.

Connecticut Attorney General William Tong is seeking information from the company about the breach.

“I understand that the 23andMe breach resulted in the targeted exfiltration and sale on the black market of at least 1 million data profiles pertaining to individuals with Ashkenazi Jewish heritage. According to reports, a second leak revealed the data of hundreds of thousands of individuals with Chinese ancestry, also for sale on the dark web. Finally, most recent reports point to a third leak of information from 23andMe’s “DNA Relatives” feature containing the genetic ancestry information of an estimated 4 million individuals. I also understand from those reports that the threat actor claims to possess more than 300 terabytes of 23andMe data,” Tong said in an inquiry letter to the company.

Tong noted that the leak may especially endanger the targeted groups.

“The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted genetic information to be released to the public,” he wrote.

The company has not yet notified the attorney general’s office of the data breach as required by law, Tong said in a release. He said the company may also be in violation of the Connecticut Data Privacy Act, which imposes data security obligations on companies that collect such data.

Interestingly, last year at this time, a group of geneticists from the Hebrew University of Jerusalem and Harvard Medical School published their DNA study that provided insights into medieval genetic diversity and illuminated the ‘founder event’ of the formation of the Ashkenazi Jewish population.

About half of Jewish people around the world today identify as Ashkenazi, meaning that they descend from Jews who lived in Central or Eastern Europe. The term was initially used to define a distinct cultural group of Jews who settled in the 10th century in the Rhineland in western Germany….

Erfurt’s medieval Jewish community existed between the 11th and 15th centuries, with a short gap following a massacre in 1349. At times, it thrived and was one of the largest Jewish communities in Germany. Following the expulsion of all Jews in 1454, the city built a granary on top of the Jewish cemetery.

In 2013, the granary stood empty and the city permitted its conversion into a parking lot. This required additional construction and an archaeological rescue excavation. The genetics team received a special permit from the local Jewish community, which allowed the researchers to retrieve DNA from detached teeth that had already been collected as part of the rescue excavation.

The analysis revealed two distinct subgroups within the remains: one with greater Middle Eastern ancestry, which may represent Jews with origins in Western Germany, and another with greater Eastern and Central European ancestry. The modern Ashkenazi population formed as a mix of these groups and absorbed little to no outside genetic influences over the 600 years that followed, the authors said.

Hopefully, the main consequence of this event will be stronger protections for data implemented by DNA testing firms. Genetics provides a great deal of historical insight and health data. It would be shameful to allow hackers and terrorists to poison its usefulness.
